Developer’s Silence Raises Concern About Surespot Encrypted Messenger

In June 2014, I suggestedSurespot Encrypted Messenger to visitors to AntiPolygraph.org as a secure means of contacting me, and I’ve been including my Surespot address (georgemaschke) in my signature block on message board posts and e-mails, as well as on AntiPolygraph.org’s contact page. Now I’m not so sure about Surespot. I fear the developer may have received a secret demand to facilitate electronic eavesdropping on Surespot users, as did Ladar Levison, who operated the now defunct Lavabit e-mail service.

Surespot is a free, open source, easy-to-use app for Android and iOS that allows users to exchange encrypted messages using public key cryptography. The source code is available on GitHub. Surespot is provided by 2fours, a small company run by Cherie Berdovich and Adam Patacchiola of Boulder, Colorado.

Before recommending Surespot, being cognizant of the Lavabit saga, I e-mailed Berdovich and Patacchiola to ask about any governmental demands for information, sending the following questions on 31 May 2014:

1 – Have you ever received a National Security Letter?

2 – Have you ever received a court order for information?

3 – Have you ever received any other request to cooperate with a government agency?

Berdovich replied that the “[a]nswer to all three questions is no.” Because Surespot’s website doesn’t include a warrant canary, I wrote again on 12 Novembember 2014 asking the same three questions. Patacchiola, who programmed Surespot, replied the same day: “1 and 2, still no, 3 we have received an email asking us how to submit a subpoena to us which we haven’t received yet.”

The following day, I asked Patacchiola if he could say what agency or organization is seeking details on how to submit a subpoena. He did not reply.

In April 2015, I sent Patacchiola a similar set of questions but received no reply. I wrote again on 25 May 2015, asking:

1. Has 2fours received any governmental demand for information about any of its users?

2. Has 2fours received any governmental demand to modify the surespot client software?

3. Has 2fours received any governmental demand to modify the surespot server software?

4. Has 2fours received any other governmental demand to facilitate electronic eavesdropping of any kind?

If the answer to any of the above questions is yes, can you elaborate?

I have also attempted to contact Berdovich and Patacchiola via the Surespot app itself but have received no reply. While its possible that they’ve simply tired of being pestered by me about government demands for information, I don’t think that’s the case and suspect they are under a gag order.

Surespot is doubtless of interest to U.S. and British intelligence and law enforcement agencies because of its adoption by English-speaking supporters of the Islamic State. In February 2015, the U.K. Daily Mail reported that the Islamic State in Iraq and Syria (ISIS) was using Surespot to recruit British brides for jihadis:

While Islamic State supporters may use Surespot, so too do a diverse group of people, including individuals who wish to contact AntiPolygraph.org privately. The Google Play Store indicates that the Android version of Surespot has been installed 100,000-500,000 times. It would be inappropriate for any government agency to take action that would compromise the privacy of all users of a messaging service in the course of its effort to investigate one, or a few. But that is what happened to Lavabit, the privacy-focused e-mail service used by NSA whistleblower Edward Snowden. The government secretly ordered Lavabit’s proprietor, Ladar Levison, turn over his server’s secret key, and forbade him from telling anyone about it.1 I fear something similar may have happened to Surespot’s Adam Patacchiola.2

Update (12 June 2015): The day after this post went online, on 8 June 2015, the Surespot server (server.surespot.me) experienced an outage, two references to which are to be found on Surespot’s Facebook page. Two days thereafter, on 10 June 2015, the U.S. Department of Justice filed a Statement of Facts (PDF) in U.S. v. Ali Shukri Amin that mentions the use of Surespot by the defendant, a supporter of the Islamic State in Iraq and the Levant (ISIL):

11. In or about late November or early December 2014, the defendant put RN [Reza Nikbakht] in touch with an ISIL supporter located outside the United States via Surespot in order to facilitate RN’s travel to Syria to join and fight with ISIL.

…

18. On January 16, 2015, an overseas ISIL supporter communicated to the defendant via Surespot that the group of ISIL supporters, including RN, had successfully crossed over into Syria.

The Statement of Facts does not specify how the Department of Justice came to know these details. Under terms of the plea agreement (PDF), Amin “agrees to provide all documents, records, writings, or materials of any kind in [his] possession or under [his] care, custody, or control directly or indirectly to all areas of inquiry and investigation.”

In addition, Amin also agrees that, at the request of the United States, he “will voluntarily submit to polygraph examinations, and that the United States will choose the polygraph examiner and specify the procedures for the examinations.”

Update 2 (26 July 2015): In a Twitter post today, information security researcher “the Grugq” reports having received confirmation that Surespot has been compromised:

Do not use SureSpot. It has been backdoored/broken to facilitate monitoring. I have received confirmation of this: https://t.co/LlffyxEMy3

Update 3 (16 September 2015): In a blog post dated 14 September 2015–its first in more than a year–Surespot claims that it “has never been compromised,” that “the privacy of all communications on our system is secure,” and that it “is not being forced to shut down or build a back door for authorities to monitor user communications.” The post does not address whether any metadata associated with the Surespot message server has been provided to authorities. Such metadata includes user names, friend relationships, conversation relationships, message timestamps, and possibly, user IP addresses.

Levison contested the secret order in court, but lost. He ultimately turned over his secret key after shutting down Lavabit entirely. He was threatened with arrest for closing his own business. [↩]

On 22 May 2015, the Daily Mailreported that Cherie Berdovich “left the [Surespot] organisation last summer.” [↩]

It’s probably no coincidence the Surespot guys keep quiet; I can’t imagine they stopped responding because they got tired of answering your questions (given what it must lead you to believe, that’d be incredibly stupid).

Have you heard of Threema? This secure messenger is based in Switzerland, where strict privacy laws prevent such government interventions.

Even if an app is developed in a good jurisdiction, it is delivered to your device by a US company (Apple, Google, or Microsoft) which can be legally compelled to give you (or ‘update’ you to) a modified version or sideload a bit of covert surveillance code. NSA simply will not allow “secure communications” apps to operate unchecked.

Thanks for publishing this. It’s relevant to security issues way beyond antipolygraph.org, and any attention it draws to your own work is also a Good Thing.

The problem at hand is a special case within a larger context: No product or service can guarantee confidential or anonymous communication. People need to examine their security needs vs. the adversaries who create those needs on a case by case basis, and find best fit solutions. The objective is not to make it impossible to breach one’s security – that is impossible – but to make it cost likely adversaries more than it is worth for them to do so, without spending more than it is worth to protect your own assets. In this context, good enough solutions are usually available.

If I wanted to communicate “very privately” with your organization under adverse conditions, such as protecting a lucrative security clearance, my first option would be “do not do it at all.” I might ask a trusted friend or family member to download and print documents for me.

My second choice would be to use TOR via the TAILS operating system at an open residential WiFi router, download any documents I need and wrap it up quickly. Using any “anonymous” communication tool that does not have a long track record and/or has not received substantial peer review would be out of the question, as would using any application however trustworthy, on an inherently insecure platform i.e. a Microsoft operating system or any “smart phone.”

Another factor, relevant when State adversaries are included in the threat model, is that some methods of breaking network security are “too secret” to be disclosed by using them against low level adversaries, because this might lead to much more important targets learning that the attacks in question exist. This may be a very relevant factor for visitors to antipolygraph.org, since the hostile actor in this instance is a clusterfuck of State Security services.

Personally, I am quite sure that the TOR network (and all other remix networks) are vulnerable to a simple but rather expensive attack that enables tracking of most users, most of the time; but also, that this capability is “really” secret and used for genuine military intelligence purposes only. If private parties using TOR, i2p, Mixmaster or etc. were penalized for policy or legal violations discovered through de-anonymization, no intelligence service or “terrorist” organization, however low budget, would continue to use those networks. The continued value of attacks in this category depends on not using the intel they make available except in cases of genuine importance to The National Interest. (We used to say “National Security” but nowadays aggressive trade wars have displaced that as DoD’s principal mission.)

Anyhow, thanks again. I have been a fan for a long time and I use any excuse I find to promote antipolygraph.org.

Why would anyone who has any idea about security and encryption recommend Surespot for secret communications. First, if you look at the Electronic Foundation ratings, you will see that the software has NOT been audited. Second, unlike other chat messengers (in the same list), if an adversary could obtain the keys, all prior communications would be exposed. Third, just look at surespot’s website: https://www.surespot.me/documents/threat.html they store lots of metadata and other information, such as who is friends with whom and who blocked whom, conversation relationship, friendship relationship. Seems pretty unusable, unless you want to monetize that info. Forth, the messenger relies on Google Cloud Service (GCM), which means you are already known/registered with Google and any and all 3-letter-folks. If you have GCM, Google owns your device and can get all the outgoing data before it is encrypted and all incoming data after it is decrypted. These are 4 red flags that would scream at a knowledgeable person to stay away from the service.

@Tele: many other encrypted messaging apps likely store or have access to the same (meta)data/social graph information as SureSpot list on the page https://www.surespot.me/support.html , the fact that they’re being open about it is a good sign. Very few encrypted messaging apps are actually designed to protect metadata.

Has anybody got any theories as to how they might have implemented a backdoor? If the iOS/android apps have been modified to implement snooping, then shouldn’t it be possible to detect/find it through reverse engineering, given that the source code is available?

Every service that provides a “private key backup” facility and collects meta data can be and will be exploited by governments. The user has to learn that this kind of data and a private key belongs only to its owner and that they have to protect these things. There is no way to shift that responsibility to someone else without breaching security and confidetiality. You wouldn’t hand over the keys to your safe to a private company to “manage” it for you, would you?
How it should work can be learned on http://www.peemail.org which is the only project that tackles this problem so far.